Date: Sat, 10 May 2025 12:30:03 +0300
From: Eli Zaretskii <eliz@HIDDEN>
To: luangruo@HIDDEN
Cc: kyle@HIDDEN, 77478 <at> debbugs.gnu.org
Subject: Re: bug#77478: Fixes a crash in the Haiku font driver for daemon mode
Message-Id: <868qn4byp0.fsf@HIDDEN>
In-Reply-To: <86bjsjuper.fsf@HIDDEN> (message from Eli Zaretskii on Sat, 26 Apr 2025 14:34:52 +0300)

Ping! Ping! Po Lu, please respond.

> Cc: kyle@HIDDEN, 77478 <at> debbugs.gnu.org
> Date: Sat, 26 Apr 2025 14:34:52 +0300
> From: Eli Zaretskii <eliz@HIDDEN>
>
> Ping! Po Lu, any suggestions or comments?
>
> > Cc: 77478 <at> debbugs.gnu.org
> > Date: Sat, 12 Apr 2025 14:35:17 +0300
> > From: Eli Zaretskii <eliz@HIDDEN>
> >
> > > Date: Thu, 03 Apr 2025 07:10:53 +0000
> > > From: "Kyle Ambroff-Kao" <kyle@HIDDEN>
> > >
> > > This fixes a double-free bug in Emacs daemon mode on Haiku. To reproduce:
> > >
> > > 1. Start emacs with "emacs --daemon"
> > > 2. Create a new frame with "emacsclient -c" and then close it.
> > > 3. Create a new frame with "emacsclient -c"
> > >
> > > Step 3 will cause the Emacs daemon to crash.
> > >
> > > KERN: debug_server: Thread 3616 entered the debugger: Debugger call:
> > > `tried to free 0xb960bc9fd0 which points at page 232 which is not an
> > > allocation first page'
> > >
> > > The backtrace from Emacs:
> > > heap_free(void*) + 0x35
> > > BFont_close + 0x4d
> > > haikufont_close(font*) + 0x29 (/Code/emacs/src/haikufont.c:893)
> > > sweep_vectors(void) + 0x1af (/Code/emacs/src/alloc.c:3242)
> > > garbage_collect(void) + 0x7b3 (/Code/emacs/src/alloc.c:7247)
> > > Ffuncall(ptrdiff_t, Lisp_Object*) + 0x194 (/Code/emacs/src/eval.c:3084)
> > > internal_condition_case_n(*, ptrdiff_t, Lisp_Object*, Lisp_Object, *)
> > > + 0x6c (/Code/emacs/src/eval.c:1699)
> > > safe_funcall(ptrdiff_t, Lisp_Object*) + 0x50 (/Code/emacs/src/eval.c:3114)
> > > map_keymap_canonical(Lisp_Object,map_keymap_function_t,Lisp_Object,void*)
> > > + 0x2b (/Code/emacs/src/keymap.c:608)
> > > ...
> > >
> > > It appears that the BFont has already been closed. I think that the
> > > driver is holding on to the pointer to the freed BFont
> > > (info->be_font). This patch addresses this by setting be_font to NULL so
> > > that this pointer will not be freed again.
> > >
> > > The same thing applies to info->metrics and info->glyphs, since just
> > > making this change to be_font wasn't enough to avoid crashes.
> > >
> > > With this patch I can open and close as many frames as I want without
> > > crashing.
> > >
> > > I don't totally understand the interactions here, and I see there are
> > > similar bugs in other font drivers with different workarounds. For
> > > example, in Bug#16069 which I found from xfont.c:xfont_close, it seems
> > > like there is an attempt to just not free the fonts when GC is invoked.
> > >
> > > I think the solution in this patch seems a little simpler, but possibly
> > > means that the fonts are initialized every time the frame count goes
> > > from 0 to 1 or more instead of just once for the life of the daemon.
> >
> > Po Lu, any suggestions or comments?
Date: Sat, 26 Apr 2025 14:34:52 +0300
From: Eli Zaretskii <eliz@HIDDEN>
To: luangruo@HIDDEN
Cc: kyle@HIDDEN, 77478 <at> debbugs.gnu.org
Subject: Re: bug#77478: Fixes a crash in the Haiku font driver for daemon mode
Message-Id: <86bjsjuper.fsf@HIDDEN>
In-Reply-To: <86cydhmx3e.fsf@HIDDEN> (message from Eli Zaretskii on Sat, 12 Apr 2025 14:35:17 +0300)

Ping! Po Lu, any suggestions or comments?

> Cc: 77478 <at> debbugs.gnu.org
> Date: Sat, 12 Apr 2025 14:35:17 +0300
> From: Eli Zaretskii <eliz@HIDDEN>
>
> > Date: Thu, 03 Apr 2025 07:10:53 +0000
> > From: "Kyle Ambroff-Kao" <kyle@HIDDEN>
> >
> > This fixes a double-free bug in Emacs daemon mode on Haiku. To reproduce:
> >
> > 1. Start emacs with "emacs --daemon"
> > 2. Create a new frame with "emacsclient -c" and then close it.
> > 3. Create a new frame with "emacsclient -c"
> >
> > Step 3 will cause the Emacs daemon to crash.
> >
> > KERN: debug_server: Thread 3616 entered the debugger: Debugger call:
> > `tried to free 0xb960bc9fd0 which points at page 232 which is not an
> > allocation first page'
> >
> > The backtrace from Emacs:
> > heap_free(void*) + 0x35
> > BFont_close + 0x4d
> > haikufont_close(font*) + 0x29 (/Code/emacs/src/haikufont.c:893)
> > sweep_vectors(void) + 0x1af (/Code/emacs/src/alloc.c:3242)
> > garbage_collect(void) + 0x7b3 (/Code/emacs/src/alloc.c:7247)
> > Ffuncall(ptrdiff_t, Lisp_Object*) + 0x194 (/Code/emacs/src/eval.c:3084)
> > internal_condition_case_n(*, ptrdiff_t, Lisp_Object*, Lisp_Object, *)
> > + 0x6c (/Code/emacs/src/eval.c:1699)
> > safe_funcall(ptrdiff_t, Lisp_Object*) + 0x50 (/Code/emacs/src/eval.c:3114)
> > map_keymap_canonical(Lisp_Object,map_keymap_function_t,Lisp_Object,void*)
> > + 0x2b (/Code/emacs/src/keymap.c:608)
> > ...
> >
> > It appears that the BFont has already been closed. I think that the
> > driver is holding on to the pointer to the freed BFont
> > (info->be_font). This patch addresses this by setting be_font to NULL so
> > that this pointer will not be freed again.
> >
> > The same thing applies to info->metrics and info->glyphs, since just
> > making this change to be_font wasn't enough to avoid crashes.
> >
> > With this patch I can open and close as many frames as I want without
> > crashing.
> >
> > I don't totally understand the interactions here, and I see there are
> > similar bugs in other font drivers with different workarounds. For
> > example, in Bug#16069 which I found from xfont.c:xfont_close, it seems
> > like there is an attempt to just not free the fonts when GC is invoked.
> >
> > I think the solution in this patch seems a little simpler, but possibly
> > means that the fonts are initialized every time the frame count goes
> > from 0 to 1 or more instead of just once for the life of the daemon.
>
> Po Lu, any suggestions or comments?
Date: Sat, 12 Apr 2025 14:35:17 +0300
From: Eli Zaretskii <eliz@HIDDEN>
To: "Kyle Ambroff-Kao" <kyle@HIDDEN>, Po Lu <luangruo@HIDDEN>
Cc: 77478 <at> debbugs.gnu.org
Subject: Re: bug#77478: Details
Message-Id: <86cydhmx3e.fsf@HIDDEN>
In-Reply-To: <ca240b51-773d-4df6-ae26-30f07a5435fc@HIDDEN> (kyle@HIDDEN)

> Date: Thu, 03 Apr 2025 07:10:53 +0000
> From: "Kyle Ambroff-Kao" <kyle@HIDDEN>
>
> This fixes a double-free bug in Emacs daemon mode on Haiku. To reproduce:
>
> 1. Start emacs with "emacs --daemon"
> 2. Create a new frame with "emacsclient -c" and then close it.
> 3. Create a new frame with "emacsclient -c"
>
> Step 3 will cause the Emacs daemon to crash.
>
> KERN: debug_server: Thread 3616 entered the debugger: Debugger call:
> `tried to free 0xb960bc9fd0 which points at page 232 which is not an
> allocation first page'
>
> The backtrace from Emacs:
> heap_free(void*) + 0x35
> BFont_close + 0x4d
> haikufont_close(font*) + 0x29 (/Code/emacs/src/haikufont.c:893)
> sweep_vectors(void) + 0x1af (/Code/emacs/src/alloc.c:3242)
> garbage_collect(void) + 0x7b3 (/Code/emacs/src/alloc.c:7247)
> Ffuncall(ptrdiff_t, Lisp_Object*) + 0x194 (/Code/emacs/src/eval.c:3084)
> internal_condition_case_n(*, ptrdiff_t, Lisp_Object*, Lisp_Object, *)
> + 0x6c (/Code/emacs/src/eval.c:1699)
> safe_funcall(ptrdiff_t, Lisp_Object*) + 0x50 (/Code/emacs/src/eval.c:3114)
> map_keymap_canonical(Lisp_Object,map_keymap_function_t,Lisp_Object,void*)
> + 0x2b (/Code/emacs/src/keymap.c:608)
> ...
>
> It appears that the BFont has already been closed. I think that the
> driver is holding on to the pointer to the freed BFont
> (info->be_font). This patch addresses this by setting be_font to NULL so
> that this pointer will not be freed again.
>
> The same thing applies to info->metrics and info->glyphs, since just
> making this change to be_font wasn't enough to avoid crashes.
>
> With this patch I can open and close as many frames as I want without
> crashing.
>
> I don't totally understand the interactions here, and I see there are
> similar bugs in other font drivers with different workarounds. For
> example, in Bug#16069 which I found from xfont.c:xfont_close, it seems
> like there is an attempt to just not free the fonts when GC is invoked.
>
> I think the solution in this patch seems a little simpler, but possibly
> means that the fonts are initialized every time the frame count goes
> from 0 to 1 or more instead of just once for the life of the daemon.

Po Lu, any suggestions or comments?
Date: Thu, 03 Apr 2025 07:10:53 +0000
From: "Kyle Ambroff-Kao" <kyle@HIDDEN>
To: 77478 <at> debbugs.gnu.org
Subject: Details
Message-Id: <ca240b51-773d-4df6-ae26-30f07a5435fc@HIDDEN>

This fixes a double-free bug in Emacs daemon mode on Haiku. To reproduce:

1. Start emacs with "emacs --daemon"
2. Create a new frame with "emacsclient -c" and then close it.
3. Create a new frame with "emacsclient -c"

Step 3 will cause the Emacs daemon to crash.

KERN: debug_server: Thread 3616 entered the debugger: Debugger call:
`tried to free 0xb960bc9fd0 which points at page 232 which is not an
allocation first page'

The backtrace from Emacs:
heap_free(void*) + 0x35
BFont_close + 0x4d
haikufont_close(font*) + 0x29 (/Code/emacs/src/haikufont.c:893)
sweep_vectors(void) + 0x1af (/Code/emacs/src/alloc.c:3242)
garbage_collect(void) + 0x7b3 (/Code/emacs/src/alloc.c:7247)
Ffuncall(ptrdiff_t, Lisp_Object*) + 0x194 (/Code/emacs/src/eval.c:3084)
internal_condition_case_n(*, ptrdiff_t, Lisp_Object*, Lisp_Object, *)
+ 0x6c (/Code/emacs/src/eval.c:1699)
safe_funcall(ptrdiff_t, Lisp_Object*) + 0x50 (/Code/emacs/src/eval.c:3114)
map_keymap_canonical(Lisp_Object,map_keymap_function_t,Lisp_Object,void*)
+ 0x2b (/Code/emacs/src/keymap.c:608)
...

It appears that the BFont has already been closed. I think that the driver is holding on to the pointer to the freed BFont (info->be_font). This patch addresses this by setting be_font to NULL so that this pointer will not be freed again.

The same thing applies to info->metrics and info->glyphs, since just making this change to be_font wasn't enough to avoid crashes.

With this patch I can open and close as many frames as I want without crashing.

I don't totally understand the interactions here, and I see there are similar bugs in other font drivers with different workarounds. For example, in Bug#16069 which I found from xfont.c:xfont_close, it seems like there is an attempt to just not free the fonts when GC is invoked.

I think the solution in this patch seems a little simpler, but possibly means that the fonts are initialized every time the frame count goes from 0 to 1 or more instead of just once for the life of the daemon.
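The failure mode described in this message (frame teardown closes the font, then the GC sweep reaches the same font object and closes it again) is reproduced in miniature by the following C example. It is an added example, not code from Emacs, from the Haiku port or from this patch: `struct font_info`, the `mock_bfont_*` helpers, the close counter and the `demo_*` functions are constructed for the demonstration and stand in for the driver's `be_font`, `metrics` and `glyphs` fields and for `BFont_close`. The close routine resets every pointer it frees, so a second call finds nothing to release, and the accessor refuses a closed font instead of following a dangling pointer.

```c
/* Added example (not Emacs or Haiku code): an idempotent close routine
   in the style of haikufont_close, with a mock BFont whose close count
   makes a double close observable instead of corrupting the heap.  */
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the BFont handle the driver owns (constructed).  */
struct mock_bfont { int handle; };

/* Per-handle count of close calls; with the guarded close below it
   never exceeds 1, which is the property the demo checks.  */
static int bfont_close_count[8];

static struct mock_bfont *mock_bfont_open (int handle)
{
  struct mock_bfont *f = malloc (sizeof *f);
  if (f)
    f->handle = handle;
  return f;
}

/* Mirrors BFont_close: releases the handle exactly once.  */
static void mock_bfont_close (struct mock_bfont *f)
{
  bfont_close_count[f->handle]++;
  free (f);
}

/* The fields haikufont_close tears down, in constructed form.  */
struct font_info
{
  struct mock_bfont *be_font;
  int **metrics;            /* metrics_nrows rows, each malloc'ed */
  int metrics_nrows;
  unsigned char **glyphs;   /* 0x100 slots, each malloc'ed or NULL */
};

struct font_info *font_open (int handle, int nrows)
{
  struct font_info *info = calloc (1, sizeof *info);
  if (!info)
    return NULL;
  info->be_font = mock_bfont_open (handle);
  info->metrics_nrows = nrows;
  info->metrics = calloc (nrows, sizeof *info->metrics);
  for (int i = 0; i < nrows; i++)
    info->metrics[i] = calloc (16, sizeof (int));
  info->glyphs = calloc (0x100, sizeof *info->glyphs);
  info->glyphs['A'] = calloc (32, 1);   /* only some slots are populated */
  return info;
}

/* Idempotent close: every freed pointer is reset to NULL and the row
   count zeroed, so a second call finds nothing to release.  free (NULL)
   is a no-op, so no per-element NULL checks are needed.  */
void font_close (struct font_info *info)
{
  if (!info)
    return;
  if (info->be_font)
    {
      mock_bfont_close (info->be_font);
      info->be_font = NULL;
    }
  if (info->metrics)
    {
      for (int i = 0; i < info->metrics_nrows; i++)
        free (info->metrics[i]);
      free (info->metrics);
      info->metrics = NULL;
      info->metrics_nrows = 0;
    }
  if (info->glyphs)
    {
      for (int i = 0; i < 0x100; i++)
        free (info->glyphs[i]);
      free (info->glyphs);
      info->glyphs = NULL;
    }
}

int font_is_closed (const struct font_info *info)
{
  return info == NULL || info->be_font == NULL;
}

/* A use path that refuses a closed font: returns -1 rather than
   dereferencing a dangling (or, after close, NULL) BFont pointer.  */
int font_handle (const struct font_info *info)
{
  if (font_is_closed (info))
    return -1;
  return info->be_font->handle;
}

/* Scenario from the report: the font is closed twice (frame teardown,
   then GC sweep).  Returns how many times the BFont was really closed.  */
int demo_double_close (int handle)
{
  struct font_info *info = font_open (handle, 4);
  font_close (info);          /* first close releases everything */
  font_close (info);          /* second close is a safe no-op */
  int n = bfont_close_count[handle];
  free (info);
  return n;
}

/* Returns the handle read after close: -1 means the use was refused.  */
int demo_use_after_close (int handle)
{
  struct font_info *info = font_open (handle, 2);
  int before = font_handle (info);
  font_close (info);
  int after = font_handle (info);
  free (info);
  return before == handle ? after : -2;
}

int main (void)
{
  printf ("BFont closes after two font_close calls: %d\n", demo_double_close (3));
  printf ("font_handle after close: %d\n", demo_use_after_close (5));
  return 0;
}
```

Build with any C99 compiler and run it: `demo_double_close (3)` returns 1 (the BFont was closed exactly once despite two calls) and `demo_use_after_close (5)` returns -1 (the use after close is refused). The `metrics_nrows = 0` reset goes one step beyond the patch, so the struct never carries a stale row count next to a NULL array; the accessor shows why NULL-after-free is only half the defence, since a caller that reaches a closed font still needs a check rather than a crash.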
Full text available.Michael Albinus <michael.albinus@HIDDEN>
to control <at> debbugs.gnu.org
.
Date: Wed, 02 Apr 2025 23:33:54 -0700
From: Kyle Ambroff-Kao <kyle@HIDDEN>
To: bug-gnu-emacs@HIDDEN
Cc: Kyle Ambroff-Kao <kyle@HIDDEN>
Subject: Fixes a crash in the Haiku font driver for daemon mode
Message-ID: <86cydtg3e5.fsf@HIDDEN>

Tags: patch

Fix use-after-free bug in the Haiku font driver

* src/haikufont.c: Set objects freed with haikufont_close to NULL so they will not be reused, which seems to happen in daemon mode when all frames have been closed and fonts are garbage collected.

In GNU Emacs 30.1 (build 2, amd64-portbld-freebsd15.0, GTK+ Version 3.24.48, cairo version 1.18.2)
System Description: 15.0-CURRENT

Configured using:
 'configure --disable-build-details --localstatedir=/var --without-gconf --without-libsystemd --without-selinux --with-x --enable-acl --with-cairo --with-dbus --with-gif --with-gnutls --with-gsettings --with-x-toolkit=gtk3 --with-harfbuzz --with-jpeg --with-file-notification=kqueue --with-lcms2 --without-m17n-flt --without-imagemagick --with-mailutils --with-modules --with-native-compilation=aot --with-sound=oss --without-libotf --without-pgtk --with-png --with-toolkit-scroll-bars --with-sqlite3 --with-rsvg --with-threads --with-tiff --with-tree-sitter --with-webp --without-xft --with-xim --with-xml2 --with-xpm --without-xwidgets --x-libraries=/usr/local/lib --x-includes=/usr/local/include --prefix=/usr/local --mandir=/usr/local/share/man --disable-silent-rules --infodir=/usr/local/share/emacs/info/ --build=amd64-portbld-freebsd15.0 'CFLAGS=-O2 -pipe -fstack-protector-strong -Wl,-rpath=/usr/local/lib/gcc13 -isystem /usr/local/include -fno-strict-aliasing ' 'CPPFLAGS=-isystem /usr/local/include' 'LDFLAGS= -fstack-protector-strong -Wl,-rpath=/usr/local/lib/gcc13 -L/usr/local/lib/gcc13 -L/usr/local/lib ''

Content-Type: text/patch
Content-Disposition: attachment; filename=haiku-font-double-free.diff

commit 05846e17841fce3dbbb8e15fe11d38fe44b3e5e5
Author: Kyle Ambroff-Kao <kyle@HIDDEN>
Date:   Wed Apr 2 22:34:26 2025 -0700

    Fix use-after-free bug in the Haiku font driver

    This fixes a bug in Emacs daemon mode on Haiku. To reproduce:

    1. Start emacs with "emacs --daemon"
    2. Create a new frame with "emacsclient -c" and then close it.
    3. Create a new frame with "emacsclient -c"

    Step 3 will cause the Emacs daemon to crash.

    KERN: debug_server: Thread 3616 entered the debugger: Debugger call:
    `tried to free 0xb960bc9fd0 which points at page 232 which is not an
    allocation first page'

    The backtrace from Emacs:
    heap_free(void*) + 0x35
    BFont_close + 0x4d
    haikufont_close(font*) + 0x29 (/Code/emacs/src/haikufont.c:893)
    sweep_vectors(void) + 0x1af (/Code/emacs/src/alloc.c:3242)
    garbage_collect(void) + 0x7b3 (/Code/emacs/src/alloc.c:7247)
    Ffuncall(ptrdiff_t, Lisp_Object*) + 0x194 (/Code/emacs/src/eval.c:3084)
    internal_condition_case_n(*, ptrdiff_t, Lisp_Object*, Lisp_Object, *)
    + 0x6c (/Code/emacs/src/eval.c:1699)
    safe_funcall(ptrdiff_t, Lisp_Object*) + 0x50 (/Code/emacs/src/eval.c:3114)
    map_keymap_canonical(Lisp_Object,map_keymap_function_t,Lisp_Object,void*)
    + 0x2b (/Code/emacs/src/keymap.c:608)
    ...

    It appears that the BFont has already been closed. I think that the
    driver is holding on to the pointer to the freed BFont
    (info->be_font). This patch addresses this by setting be_font to NULL so
    that this pointer will not be freed again.

    The same thing applies to info->metrics and info->glyphs, since just
    making this change to be_font wasn't enough to avoid crashes.

    With this patch I can open and close as many frames as I want without
    crashing.

    I don't totally understand the interactions here, and I see there are
    similar bugs in other font drivers with different workarounds. For
    example, in https://debbugs.gnu.org/cgi/bugreport.cgi?bug=16069 which
    I found from xfont.c:xfont_close, it seems like there is an attempt to
    just not free the fonts when GC is invoked.

    I think the solution in this patch seems a little simpler, but possibly
    means that the fonts are initialized every time the frame count goes
    from 0 to 1 or more instead of just once for the life of the daemon.

diff --git a/src/haikufont.c b/src/haikufont.c
index 7522b92207fa..72dfcc4aa3bf 100644
--- a/src/haikufont.c
+++ b/src/haikufont.c
@@ -890,25 +890,45 @@ haikufont_close (struct font *font) return; block_input (); - if (info && info->be_font) - BFont_close (info->be_font); - for (i = 0; i < info->metrics_nrows; i++) + if (info) { - if (info->metrics[i]) - xfree (info->metrics[i]); + if (info->be_font) + { + BFont_close (info->be_font); + info->be_font = NULL; + } + + if (info->metrics) + { + for (i = 0; i < info->metrics_nrows; i++) + { + if (info->metrics[i]) + { + xfree (info->metrics[i]); + info->metrics[i] = NULL; + } + } + + xfree (info->metrics); + info->metrics = NULL; + } + + if (info->glyphs) + { + for (i = 0; i < 0x100; ++i) + { + if (info->glyphs[i]) + { + xfree (info->glyphs[i]); + } + } + + xfree (info->glyphs); + info->glyphs = NULL; + } } - if (info->metrics) - xfree (info->metrics); - - for (i = 0; i < 0x100; ++i) - { - if (info->glyphs[i]) - xfree (info->glyphs[i]); - } - - xfree (info->glyphs); unblock_input (); } --=-=-=--
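Review bot: the NULL resets make a second haikufont_close on the same struct harmless, but the hunk leaves the font object itself reachable between the two calls, so any driver routine that touches `info->be_font` after the first close (the "closed but not yet swept" window the commit message describes) now dereferences NULL instead of freed memory; that trades heap corruption for a deterministic crash, which is better, but the function should carry a comment stating that it is intentionally idempotent and why, since the hunk otherwise reads as if the double call were expected behaviour. Two smaller points in the same hunk: `info->metrics[i] = NULL;` inside the row loop is dead work because `info->metrics` is freed and NULLed immediately afterwards, and the glyphs loop does not mirror it, so either drop the per-element reset or apply it to both arrays; and `info->metrics_nrows` keeps its old value while `info->metrics` becomes NULL, which this function's own `if (info->metrics)` guard tolerates but which leaves a stale row count for any other reader of the struct, so consider resetting it to 0 alongside. Style: `if (info->glyphs[i]) { xfree (info->glyphs[i]); }` wraps a single statement in braces where the surrounding Emacs code (and the `info->metrics[i]` branch just above) uses the bare statement.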
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.